France’s top cybersecurity official is pushing Europe to stop U.S. law enforcement from accessing critical data stored within Europe by U.S. cloud companies.
European cybersecurity authorities are developing rules for cloud providers like Amazon, Microsoft, Google and others that would impose tougher cybersecurity rules under a new certification scheme, including on data management.
But Guillaume Poupard, director general of France’s cybersecurity agency, known as ANSSI, wants to go further by walling off critical services from the reach of foreign laws.
For services such as health care and financial services, Europe needs “a rule that only European law is applicable on cloud products certified in Europe,” he told POLITICO in an interview.
Under an American law known as the CLOUD Act, U.S. companies are obliged to provide foreign data to U.S. authorities if asked. But if Poupard has his way, new EU rules would prevent critical data from ending up with U.S. authorities.
The rule “would exclude the standard American and Chinese services” from offering services in critical sectors in Europe, said Poupard. “This is not about turning our backs on partners. But it’s about having the courage to say that we don’t want non-European law to apply to these services.”
European governments are trying to grow less dependent on U.S. cloud services as part of their drive toward “strategic autonomy,” the idea that Europe needs to keep control over technology policy, in part due to fears of spying and surveillance from the U.S.
The new cloud cybersecurity rule “will be a real test, a real objective for the political will to achieve strategic autonomy in the digital field,” Poupard said. “If we’re not capable to say this, the notion of European sovereignty doesn’t make sense.”
Poupard’s statements come two weeks before U.S. and EU officials meet to discuss cybersecurity, data privacy and other issues at the first meeting of a newly-formed Trade and Tech Council, in Pittsburgh on September 29.
At a gathering of digital leaders last week in Tallinn, Estonia, U.S. Secretary of Commerce Gina Raimondo lamented Europe’s increasing tendency to impose laws and efforts to keep EU data from being shipped to the U.S.
“I hope that we can all agree that requirements to keep data localized in country hurt all of our businesses, all of our economies, and all of our citizens,” Raimondo said, adding that data flows were key for avoiding “very expensive threats and attacks” as well as commercial gains.
Poupard’s proposal to block the extraterritorial reach of U.S. law is unlikely to be well received in Washington.
In 2018, the U.S. adopted the CLOUD Act, giving U.S. security services the authority to require Amazon, Google, Microsoft and others to provide access to data even if that data is stored in Europe. The law was drafted to resolve a legal dispute between the U.S. government and Microsoft that went to the U.S. Supreme Court in 2017.
The law drew scathing criticism from the EU, France and Germany in particular, and served as a catalyst for the European Union to try to depend less on American digital services, a strategy it calls “technological sovereignty,” especially in the cloud market. The bloc helped kickstart a project called Gaia-X, meant to set European cloud standards.
The EU’s cybersecurity agency ENISA is working to finalize a new cloud cybersecurity certification, which it will likely finish next year.
Poupard said the agency was finalizing the new scheme, but still needs the political endorsement of European leaders, especially if they want to cut the U.S. government’s access to certain data.
“If there isn’t a political will to apply strict rules, GAFAM companies [Google, Amazon, Facebook, Apple, Microsoft] won’t make the effort and stick with their own standards,” he said.
Poupard added that U.S. cloud providers are working with France and Germany on ways to avoid being exposed to the CLOUD Act. “The idea is to set our rules and then look at how this doesn’t conflict with U.S. services,” he said.
U.S. companies have read the room. In Germany, telecoms operator Deutsche Telekom announced last week that it will launch a “sovereign cloud” in partnership with Google, in which it offers Google’s services but with local controls over the data. In France, local firms Capgemini and Orange announced a service called “Bleu,” which offers Microsoft services through a new, local entity that offers clients “immunity” from U.S. extraterritorial law, the companies said in May. The same month, Microsoft announced it will store the data of all its European commercial and public data customers in Europe.
These initiatives bring a “natural immunity from the CLOUD Act,” Poupard said. “But for critical services, we need to be clearer still,” he added.